UBUNTU-CVE-2023-41081

Source
https://ubuntu.com/security/CVE-2023-41081
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-41081.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2023-41081
Related
Published
2023-09-13T10:15:00Z
Modified
2023-09-13T10:15:00Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Important: Authentication Bypass CVE-2023-41081

The mod_jk component of Apache Tomcat Connectors would, in some circumstances, use an implicit mapping and map a request to the first defined worker. One such circumstance is a configuration that included "JkOptions +ForwardDirectories" but did not provide explicit mounts for all possible proxied requests. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be made via explicit configuration.

Only mod_jk is affected by this issue. The ISAPI redirector is not affected.

This issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48.

Users are recommended to upgrade to version 1.2.49, which fixes the issue.

History
2023-09-13 Original advisory
2023-09-28 Updated summary
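The mapping behaviour the advisory describes, as an added illustration that is not mod_jk source and not part of this advisory: a small Python model of how a request was assigned to a worker before and after JK 1.2.49. The worker names (jkstatus, ajp13), request paths and the two configurations are constructed for the example; pattern matching is simplified to exact, "/context/*" and "/*.ext" forms, the most specific JkMount is assumed to win, and JkUnMount and the one-argument JkMount inside <Location> are not modelled.

```python
# Added illustration, not mod_jk source: a model of how mod_jk chose a worker
# before and after JK 1.2.49, following the advisory's description.
# Worker names, paths and both configurations are constructed for the example.

FALLBACK_REMOVED_IN = (1, 2, 49)   # JK release that dropped the implicit mapping


def parse_props(text):
    """workers.properties as a dict (comments and blank lines ignored)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def worker_list(props):
    """Workers in worker.list order; index 0 is the 'first defined worker'."""
    return [w.strip() for w in props.get("worker.list", "").split(",") if w.strip()]


def parse_httpd_conf(conf):
    """Return ([(pattern, worker), ...], forward_directories_enabled).
    Only the three-argument JkMount form is handled (not JkMount in <Location>)."""
    mounts, forward_dirs = [], False
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive == "jkmount" and len(parts) == 3:
            mounts.append((parts[1], parts[2]))
        elif directive == "jkoptions" and "+ForwardDirectories" in parts[1:]:
            forward_dirs = True
    return mounts, forward_dirs


def pattern_matches(pattern, uri):
    """Simplified mod_jk patterns: /context/*, /*.ext, or an exact path."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return uri == base or uri.startswith(base + "/")
    if pattern.startswith("/*."):
        return uri.endswith(pattern[2:])
    return uri == pattern


def resolve_worker(conf, workers_properties, uri, is_directory, jk_version):
    """Worker that a request for `uri` reaches, or None when httpd serves it.
    `is_directory`: a request that httpd's DirectoryIndex handling would normally
    satisfy, which is what +ForwardDirectories hands to mod_jk instead."""
    mounts, forward_dirs = parse_httpd_conf(conf)
    workers = worker_list(parse_props(workers_properties))
    matches = [(len(p), w) for p, w in mounts if pattern_matches(p, uri)]
    if matches:                        # explicit mapping: most specific wins
        return max(matches)[1]
    if not (forward_dirs and is_directory and workers):
        return None                    # nothing hands the request to mod_jk
    if jk_version >= FALLBACK_REMOVED_IN:
        return None                    # 1.2.49+: no implicit mapping, httpd serves it
    return workers[0]                  # < 1.2.49: falls through to the first worker


def audit(conf, workers_properties):
    """Findings for the configuration pattern the advisory describes (simplified:
    a '/*' JkMount is taken as the catch-all explicit mapping)."""
    mounts, forward_dirs = parse_httpd_conf(conf)
    props = parse_props(workers_properties)
    workers = worker_list(props)
    findings = []
    if forward_dirs and not any(p == "/*" for p, _ in mounts):
        findings.append("+ForwardDirectories without a catch-all JkMount: "
                        "unmatched directory requests hit the implicit mapping before 1.2.49")
    if workers and props.get(f"worker.{workers[0]}.type") == "status":
        findings.append(f"first worker in worker.list is the status worker {workers[0]!r}")
    return findings


# Constructed sample configurations.
WORKERS_WEAK = """\
worker.list=jkstatus,ajp13
worker.jkstatus.type=status
worker.ajp13.type=ajp13
"""
WORKERS_HARDENED = WORKERS_WEAK.replace("worker.list=jkstatus,ajp13", "worker.list=ajp13,jkstatus")

HTTPD_WEAK = """\
JkOptions +ForwardDirectories
JkMount /app/* ajp13
"""
HTTPD_HARDENED = """\
JkOptions +ForwardDirectories
JkMount /app/* ajp13
JkMount /* ajp13             # every other proxied request is mapped explicitly
JkMount /jk-status jkstatus  # reachable only here; restrict it with httpd access control
"""
```

With the weak configuration, a request for a directory such as "/uploads/" that no JkMount covers is handed to mod_jk by +ForwardDirectories and lands on jkstatus, the first worker, on JK 1.2.48; on 1.2.49 the same request is left to httpd. The hardened configuration keeps +ForwardDirectories but leaves nothing to the implicit mapping, and the status worker is only reachable through an explicit path, which should still be wrapped in httpd access control. Configuration changes reduce exposure; the upgrade to 1.2.49 (or the fixed Ubuntu package) is what removes the fallback.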

References

Affected packages

Ubuntu:Pro:16.04:LTS / libapache-mod-jk

Package

Name
libapache-mod-jk
Purl
pkg:deb/ubuntu/libapache-mod-jk?arch=src?distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1:1.2.41-1ubuntu0.1~esm1

Affected versions

1:1.*

1:1.2.40+svn150520-1
1:1.2.41-1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1:1.2.41-1ubuntu0.1~esm1",
            "binary_name": "libapache-mod-jk-doc"
        },
        {
            "binary_version": "1:1.2.41-1ubuntu0.1~esm1",
            "binary_name": "libapache2-mod-jk"
        },
        {
            "binary_version": "1:1.2.41-1ubuntu0.1~esm1",
            "binary_name": "libapache2-mod-jk-dbgsym"
        }
    ]
}

Ubuntu:Pro:18.04:LTS / libapache-mod-jk

Package

Name
libapache-mod-jk
Purl
pkg:deb/ubuntu/libapache-mod-jk?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1:1.2.43-1ubuntu0.1~esm1

Affected versions

1:1.*

1:1.2.42-1
1:1.2.43-1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1:1.2.43-1ubuntu0.1~esm1",
            "binary_name": "libapache-mod-jk-doc"
        },
        {
            "binary_version": "1:1.2.43-1ubuntu0.1~esm1",
            "binary_name": "libapache2-mod-jk"
        },
        {
            "binary_version": "1:1.2.43-1ubuntu0.1~esm1",
            "binary_name": "libapache2-mod-jk-dbgsym"
        }
    ]
}

Ubuntu:20.04:LTS / libapache-mod-jk

Package

Name
libapache-mod-jk
Purl
pkg:deb/ubuntu/libapache-mod-jk?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1:1.2.46-1ubuntu0.1

Affected versions

1:1.*

1:1.2.46-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1:1.2.46-1ubuntu0.1",
            "binary_name": "libapache-mod-jk-doc"
        },
        {
            "binary_version": "1:1.2.46-1ubuntu0.1",
            "binary_name": "libapache2-mod-jk"
        },
        {
            "binary_version": "1:1.2.46-1ubuntu0.1",
            "binary_name": "libapache2-mod-jk-dbgsym"
        }
    ]
}

Ubuntu:22.04:LTS / libapache-mod-jk

Package

Name
libapache-mod-jk
Purl
pkg:deb/ubuntu/libapache-mod-jk?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1:1.2.48-1ubuntu0.1

Affected versions

1:1.*

1:1.2.48-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1:1.2.48-1ubuntu0.1",
            "binary_name": "libapache-mod-jk-doc"
        },
        {
            "binary_version": "1:1.2.48-1ubuntu0.1",
            "binary_name": "libapache2-mod-jk"
        },
        {
            "binary_version": "1:1.2.48-1ubuntu0.1",
            "binary_name": "libapache2-mod-jk-dbgsym"
        }
    ]
}

Ubuntu:24.04:LTS / libapache-mod-jk

Package

Name
libapache-mod-jk
Purl
pkg:deb/ubuntu/libapache-mod-jk?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1:1.2.49-1

Affected versions

1:1.*

1:1.2.48-2

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1:1.2.49-1",
            "binary_name": "libapache-mod-jk-doc"
        },
        {
            "binary_version": "1:1.2.49-1",
            "binary_name": "libapache2-mod-jk"
        },
        {
            "binary_version": "1:1.2.49-1",
            "binary_name": "libapache2-mod-jk-dbgsym"
        }
    ]
}